Twitter is bracing for fines of up to $250 million in a Federal Trade Commission probe of the social media giant's use of accountholders' phone numbers and email addresses for targeted ads.
The agency has told the San Francisco-based company that the incident -- which Twitter copped to in October when it informed users that information provided for safety or security purposes, such as two-factor authentication, had been inadvertently matched to an advertiser's marketing list -- violates a 2011 consent agreement with the FTC.
That deal required Twitter to establish an information security program to protect non-public consumer information and to obtain independent security assessments every other year, according to a regulatory filing.
Twitter said in the filing that it had received a draft complaint from the FTC on July 28 with details of the alleged violations.
The company promised users it has "addressed the issue" and is "no longer using phone numbers or email addresses collected for safety or security purposes" to target ads.
The massive tech company has faced a barrage of concerns in recent weeks after hackers targeted employees to gain access to the accounts of at least 130 users -- including high-profile figures such as Kim Kardashian, Elon Musk, and Barack Obama -- to set up a cryptocurrency scam that reaped $117,000.
Three people were arrested in the case last week.
Following the attacks, both Democratic and GOP lawmakers urged Twitter CEO Jack Dorsey to address the public's concern over the data breach and fix potential vulnerabilities in Twitter's security systems.
"We are continuing to assess what other malicious activity the attackers may have conducted and the extent to which non-public data related to these accounts was compromised," Twitter said of the hacks in its regulatory filing. "We are also taking steps to secure our systems while our investigations are ongoing."